Doubts about firewall Cisco PIX as VPN termination device
evyncke at CISCO.COM
Wed Jan 17 16:24:54 EST 2001
[Notice my bias by looking at my email address]
At 09:51 17/01/01 -0200, Venicio Vilas-Bôas wrote:
> We have a firewall Cisco PIX. We would like to implement remote
> access. I read at FAQs that "by doing VPN on an existing firewall, you add
> some intense processing to a device whose original purpose was simply
> speaking, to control network access" and I also read that "because of
> security reasons we don't recommend to use the PIX as VPN termination
> device". Then I have some doubts:
No doubts, but I wonder where you found this information. A lot of
customers are using the PIX as a VPN termination point.
> 1) Can I use or not firewall Cisco PIX as VPN termination device? What are
> the security reasons for not using firewall Cisco PIX as a VPN termination
> 2) How many VPN sessions does a firewall Cisco PIX support?
If you call an IPSec tunnel (towards a single IKE peer) a VPN session,
it depends on the exact model of the PIX and whether you are using
hardware crypto. You may go up to 2000 tunnels (even more with HW).
> 3) I have a documentation from Cisco denominated "An introduction to IP
> Security (IPSec) Encryption", which shows how to configure firewall IKE. This
> documentation permits configuring ISAKMP SA using pre-shared keys or CA. I
> would like to know whether this documentation is enough for configuring
> firewall Cisco PIX as a VPN termination device or I need another
Most probably. You may also want to learn more about IPSec to understand
its concepts (like PFS, ...) and mechanisms (this statement obviously
is applicable to any security technology/device/vendor).
> 4) What are the differences between using firewall Cisco PIX and Cisco CVPN 3005 as
> VPN termination devices?
Main differences are:
- PIX: is a complete firewall with full auditing, inspection and some IDS
- VPN 3000: has only packet filtering firewalling, but is optimized
(regarding centralized configuration and performance) to handle several
thousands of remote users (read: IPSec-enabled mobile PCs).
Hope this helps
> I am looking forward to hearing from you and thank you in advance for your
Distinguished Engineer Cisco Systems EMEA
Phone: +32-2-778.4677 Fax: +32-2-778.4300
E-mail: evyncke at cisco.com Mobile: +32-475-312.458
PGP Key available on request
MOBILE HAS CHANGED ON 11th November 2000
VPN is sponsored by SecurityFocus.COM